On Fri, Sep 05, 2014 at 09:46:18AM +0100, Hani Benhabiles wrote:
> On Wed, Sep 03, 2014 at 05:44:17PM +0100, Stefan Hajnoczi wrote:
> Also, some means of verification is required (otherwise, back to point 0 being
> vulnerable to sslstrip style attacks) either that the server's cert is signed
> with a certain (self-generated) CA certificate or that it matches a certain
> fingerprint. Doing it similarly on the server-side would allow hitting a 2nd
> bird (authentication.)

Yes, client and server side certificates are needed.

Here are the SPICE TLS options in QEMU:

    tls-port=<nr>
        Set the TCP port spice is listening on for encrypted channels.

    x509-dir=<dir>
        Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir

    x509-key-file=<file>
    x509-key-password=<file>
    x509-cert-file=<file>
    x509-cacert-file=<file>
    x509-dh-key-file=<file>
        The x509 file names can also be configured individually.

    tls-ciphers=<list>
        Specify which ciphers to use.

I guess NBD would need similar options although I haven't investigated TLS in depth yet.

Stefan
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list